Cyber criminals are launching more and more sophisticated attacks on U.S. wireless consumers.
Research reveals that financial fraud and spam via SMS texts are now growing at a rate of over 300 percent year over year. Cloudmark is currently tracking over 20 unique, finance-related SMS attacks in the United States, with thousands of variants of each attack. The attack techniques are becoming increasingly sophisticated and can include any combination of rapidly changing content, phone numbers and MSISDN (a number uniquely identifying a mobile subscription).
To protect themselves, smartphone users must become aware of the telltale signs of SMS fraud and spam. Research has recently investigated a number of SMS attacks. Two prominent examples are loan and gift card scams and the more malicious credit card and bank fraud attacks.
For the loan and gift card attacks, the scammers’ business model is based on referrals for loans, either via web redirects that send traffic immediately to an affiliate program or by accepting applications that are forwarded to affiliate programs.
For the banking and credit card fraud attacks, generally speaking, the text in each fraudulent SMS appears as if it is coming from a major bank or credit card company such as Wells Fargo or Visa. The attackers, also known as phishers, send texts with messages such as “Your Visa card has been deactivated. Please call [number] to reactivate it.” When an unwitting recipient calls the number, they are asked for their name, bank card number, account number, expiration date, security/PIN code and/or address – all the data the criminals need to gain access to their credit card or bank account. Just what these cyber criminals can do with the data is quite alarming. In some cases criminals have created an actual replica of a victim’s bank card from the data provided.
Even if a user believes that a message is legitimate, Cloudmark recommends that users never click on the embedded phone numbers displayed in the SMS text. Rather, they should access contact details from the main number listed on their bank’s website or access their account directly from the bank’s website.
Additionally, many US operators now have measures in place that enable users to report suspected fraudulent or spam messages by texting 7726 or “SPAM” via their mobile device. Users should check with their operators to learn if the 7726 reporting service is available.
Cyber criminals are increasingly moving from targeted phishing attacks via email to mobile messaging. With email attacks becoming less profitable, cyber criminals are looking elsewhere to launch successful, efficient and cost-effective attacks. SMS text messaging offers a target-rich environment for cyber criminals.
Text messaging has grown explosively, with approximately six billion text messages sent daily in the United States. Along with unlimited texting plans, this means it costs attackers barely anything to send malicious SMS texts. This, combined with the trust users inherently have in their mobile devices, makes it an environment ripe for attack.
SMS text messaging attacks have the potential to cause far more damage than those in email. According to Hugh McCartney, Cloudmark’s CEO, “There is a substantial difference in the profile of attacks on mobile versus email. With the global email we analyze, most of the attacks are spam, but financial fraud remains a very small percentage of email – not more than 10 percent overall. Conversely, our mobile data research reveals that more than half of SMS spam is composed of targeted attacks focused on extracting financial account information or enticing the subscriber to call premium rate numbers, usually with immediate financial impact to the mobile user.”